Separation Logic. Part 3. Arthur Charguéraud. February / 66

Size: px

Start display at page:

Download "Separation Logic. Part 3. Arthur Charguéraud. February / 66"

Edwin Rogers
5 years ago
Views:

1 Separation Logic Part 3 Arthur Charguéraud February / 66

2 Content Reasoning about loops For loops While loops Repeat-loops Total correctness Frame in a while loop Higher-order iterators for pure containers Higher-order iterators for mutable containers Specication of objects 2 / 66

3 Example of a for-loop let facto n = let r = ref 1 in for i = 2 to n do let v =!r in r := v * i; done ;!r Before the loop: r ãñ 1 At each iteration: from r ãñ pi 1q! to r ãñ i! After the loop (assuming n ě 1): r ãñ n! Loop invariant, with i P r2, n ` 1s: I i r ãñ pi 1q! 3 / 66

4 Reasoning rule for for-loops For any loop invariant I of type int Ñ Hprop: a ď b H Ź I a I pb ` 1q Ź Q P ra, bs. ti iu t 1 tλtt. I pi ` 1qu thu pfor i a to b do t 1 q tqu Instantiation on the example, where I i r ãñ pi 1q! 2 ď n ` 1 r ãñ 1 Ź r ãñ p2 1q! r ãñ pn ` 1 1q! Ź r ãñ P r2, ns. tr ãñ pi 1q!u body tλtt. r ãñ pi ` 1 1q!u tr ãñ 1u pfor i 2 to n do bodyq tr ãñ n!u 4 / 66

5 General rule for for-loops Rule when a ď b: a ď b H Ź I a I pb ` 1q Ź Q P ra, bs. ti iu t 1 tλtt. I pi ` 1qu thu pfor i a to b do t 1 q tqu Rule when a ą b: a ą b H Ź Q tt thu pfor i a to b do t 1 q tqu General rule: H Ź I a I pmax a pb ` 1qq Ź Q P ra, bs. ti iu t 1 tλtt. I pi ` 1qu thu pfor i a to b do t 1 q tqu 5 / 66

6 While loops in A-normal form Eect of conversion to A-normal form of a while loop: let facto n = let r = ref 1 in let k = ref 2 in while! k <= n do r :=!r *!k; incr k; done ;!r. let facto n = let r = ref 1 in let k = ref 2 in while ( let i =!k in i <= n) do let i =!k in let n =!r in r := i * n; incr k; done ;!r 6 / 66

7 Reasoning rule for while-loops, partial correctness The loop invariant I describes the state between every iterations. The post-condition J describes the state after the evaluation of t 1. H Ź I tiu t 1 tju tj trueu t 2 tλtt. Iu J false Ź Q tt thu pwhile t 1 do t 2 q tqu where pi : Hpropq and pj : bool Ñ Hpropq. 7 / 66

8 Verication of a while loop H Ź I tiu t 1 tju tj trueu t 2 tλtt. Iu J false Ź Q tt thu pwhile t 1 do t 2 q tqu let facto n = let r = ref 1 in let k = ref 2 in while ( let i =!k in i <= n) do let i =!k in let n =!r in r := i * n; incr k; done ;!r Instantiation of the rule: H k ãñ 2 r ãñ 1 I Di. k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s J b Di. k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s rb true ô i ď ns Q λtt. k ãñ n r ãñ n! 8 / 66

9 Problem with the while loop H Ź I tiu t 1 tju tj trueu t 2 tλtt. Iu J false Ź Q tt thu pwhile t 1 do t 2 q tqu Duplication between I and J: I Di. k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s J b Di. k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s rb true ô i ď ns 9 / 66

10 Reasoning rule for repeat, partial correctness New language construct: repeat t 1 do tt while t 1 Reasoning rule: H Ź I tiu t 1 tλb. if b then I else pq ttqu thu prepeat t 1 q tqu Remark: the post-condition uses a logical if-then-else. 10 / 66

11 Translation of while loops into repeat loops Translation scheme: do t 1 while t 2 repeat pt 1 ; t 2 q while t 1 do t 2 repeat pif t 1 then pt 2 ; trueq else falseq Translation of while loops in A-normal form: while plet x t 0 in bq do t 2 repeat plet x t 0 in if b then pt 2 ; trueq else falseq 11 / 66

12 Encoding a while loop using repeat. while let i =!k in i <= n do let i =!k in let n =!r in r := i * n; incr k; done ; repeat let i =!k in if i <= n then begin let i =!k in let n =!r in r := i * n; incr k; true end else false done ; 12 / 66

13 Reasoning about while loops using repeat H Ź I tiu t 1 tλb. if b then I else pq ttqu thu prepeat t 1 q tqu Reasoning about while plet x t 0 in bq do t 2, encoded as (1) Check: H Ź I (2) Check: repeat plet x t 0 in if b then pt 2 ; trueq else falseq tiu t 0 tq 1 b true ñ tq 1 xu t 2 tλtt. Iu b false ñ Q 1 x Ź Q tt tiu plet x t 0 in if b then pt 2 ; trueq else falseq tλb. if b then I else pq ttqu 13 / 66

14 Verication of a repeat loop, partial correctness let facto n = let r = ref 1 in let k = ref 2 in repeat let i =!k in if i <= n then begin let i =!k in let n =!r in r := i * n; incr k; true end else false done ;!r Instantiation of the rule: H k ãñ 2 r ãñ 1 I Di. k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s Q λtt. k ãñ n r ãñ n! 14 / 66

15 Reasoning rule for repeat, total correctness Need to check: H Ź I tiu!k tq 1 u H k ãñ 2 r ãñ 1 I Di. k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s Q λtt. k ãñ n r ãñ n! i ď n ñ tq 1 xu plet i =!k in... incr kq tλtt. Iu i ď n ñ Q 1 x Ź Q tt In the true branch, from r ãñ i pi 1q!, we deduce r ãñ ppi ` 1q 1q!. In the false branch, from pi ď nq and r2 ď i ď n ` 1s, we get i n ` / 66

16 Reasoning rule for repeat, total correctness From partial correctness: to total correctness: H Ź I tiu t 1 tλb. if b then I else pq ttqu thu prepeat t 1 q tqu H Ź I X ti Xu t 1 tλb. if b then pdy. I Y ry ă Xsq else pq ttqu thu prepeat t 1 q tqu where A is a user-specied type, px 0 : Aq, px : Aq, pi : A Ñ Hpropq, and pă : A Ñ A Ñ Propq is a well-founded relation. 16 / 66

17 Verication of a repeat loop, total correctness let facto n = let r = ref 1 in let k = ref 2 in repeat let i =!k in if i <= n then begin let i =!k in let n =!r in r := i * n; incr k; true end else false done ;!r Instantiation of the rule: H k ãñ 2 r ãñ 1 Q λtt. k ãñ n r ãñ n! A int I i k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s X 0 2 i 1 ă i i ă i 1 ď n ` 1 H Ź I X ti Xu t 1 tλb. if b then pdy. I Y ry ă Xsq else pq ttqu thu prepeat t 1 q tqu 17 / 66

18 Content Reasoning about loops Frame in a while loop Length with a while loop While loops by induction In-place increment Higher-order iterators for pure containers Higher-order iterators for mutable containers Specication of objects 18 / 66

19 Length with a while loop let rec mlength (p:'a cell ) = let t = ref 0 in let f = ref p in while! f!= null do incr t; f := (! f ). tl ; done!t Assume the pre-condition is p Mlist L. What is the loop invariant? 19 / 66

20 Length with a while loop: invariant Loop invariant, in partial correctness: I DL 1 L 2 q. f ãñ q p MlistSeg q L 1 q Mlist L 2 rl L 1``L 2 s t ãñ L 1 20 / 66

21 Length with a while loop: termination Loop invariant, in total correctness: I L 2 DL 1 q. f ãñ q p MlistSeg q L 1 q Mlist L 2 rl L 1``L 2 s t ãñ L 1 with: A list int X 0 L l ă pv :: lq H Ź I X ti Xu t 1 tλb. if b then pdy. I Y ry ă Xsq else pq ttqu thu prepeat t 1 q tqu 21 / 66

22 Need for list segments Observation: mlength dened using let rec does not require list tp Mlist Lu pmlength pq tλn. rn length Ls p Mlist Lu mlength dened using while seems to require list segments: I D... p MlistSeg q L 1 q Mlist L / 66

23 Proofs by induction for loops Semantic equivalence: while t 1 do t 2 if t 1 then pt 2 ; while t 1 do t 2 q else tt Reasoning rule: thu pif t 1 then pt 2 ; while t 1 do t 2 q else ttq tqu thu pwhile t 1 do t 2 q tqu Ñ proof by induction on a logical variable (ocurring in H and Q). 23 / 66

Length with a while loop: induction @L f qn. tf ãñ q q Mlist L f t ãñ nu pwhile!f!= null do incr t; f :=!f.tl doneq tλtt.

24 Length with a while loop: f qn. tf ãñ q q Mlist L f t ãñ nu pwhile!f!= null do incr t; f :=!f.tl doneq tλtt. f ãñ null q Mlist L f t ãñ pn ` length L f qu Show the pre- and the post-condition to hold of the following code: if!f!= null then (incr t; f :=!f.tl; while... done) else () 24 / 66

25 Length with a while loop: f nq. tf ãñ q q Mlist L f t ãñ nu pif!f!= null then (incr t; f :=!f.tl; while... done) else () q tλtt. f ãñ null q Mlist L f t ãñ n ` length L f u Case q null. Then L f nil. The pre-condition entails the post. Case q null. Then L f x :: L 1 f, and length L f 1 ` length L 1 f, and the state is: f ãñ q q ÞÑ t hd=x; tl=q 1 u q 1 Mlist L 1 f t ãñ n and after incr t; f :=!f.tl the state becomes: f ãñ q 1 q ÞÑ t hd=x; tl=q 1 u q 1 Mlist L 1 f t ãñ n ` 1 25 / 66

26 Length with a while loop: illustration Recursive call on: f ãñ q 1 q 1 Mlist L 1 f t ãñ n ` 1 f ãñ null q 1 Mlist L 1 f t ãñ pn ` 1 ` length L 1 f q After putting back q ÞÑ t hd=x; tl=q 1 u, we get: f ãñ null q Mlist L f t ãñ pn ` length L f q 26 / 66

27 In-place increment in a list let rec list_incr (p:'a cell ) = let f = ref p in while! f!= null do let q =!f in q. hd <- q. hd + 1; f := q. tl ; done Exercise: what specication? loop invariant? loop induction principle? 27 / 66

28 In-place increment in a list Specication: Loop invariant: DqL 1 L 2. tp Mlist Lu plist_incr pq tλtt. p Mlist pmap p`1q Lqu f ãñ q p MlistSeg q pmap p`1q L 1 q q Mlist L 2 rl L 1``L 2 s Loop specication, for a proof by 2. tf ãñ q q Mlist L 2 u pwhile... doneq tλtt. f ãñ null q Mlist pmap p`1q L 2 qu 28 / 66

29 Content Reasoning about loops Frame in a while loop Higher-order iterators for pure containers Function acting over a reference List.iter Constraints over the items Map Fold-left More functions on lists Higher-order iterators for mutable containers Specication of objects 29 / 66

30 Notation Adding an item at the tail of a list: L&x L``px :: nilq Pure pre-conditions as hypotheses: trp s Hu t tqu P ñ thu t tqu Specication of a boolean value: b istrue P pb true ô P q 30 / 66

31 Forall predicate Asserting properties about list items: Forall P L Denition: Forall P nil P x Forall P L Forall P px :: Lq Similarly: Denition: Forall2 P L 1 L 2 Forall2 P nil nil P x 1 x 2 Forall2 P L 1 L 2 Forall2 P px 1 :: L 1 q px 2 :: L 2 q 31 / 66

32 Function acting over a reference let refapply r f = r := f!r 1 r. ñ tr su pf vq tλy. ry v 1 su tr ãñ vu prefapply r fq tλtt. r ãñ v 1 u 32 / 66

33 Applying a function over a reference, generalization let refapply r f = r := f!r let s = ref 0 in let f x = incr s; 2* x in let r = ref 42 in refapply r f Generalized 1 rhh 1. ñ thu pf vq tλy. ry v 1 s H 1 u tpr ãñ vq Hu prefapply r fq tλtt. pr ãñ v 1 q H 1 u 33 / 66

34 Iteration over a pure list let rec iter f l = match l with [] -> () x :: t -> f x; iter f t ñ `@xk. ti ku pf xq tλtt. I pk&xqu ti nilu piter f lq tλtt. I lu 34 / 66

35 Length using iter let length l = let r = ref 0 in iter ( fun x -> incr r) l;!r Specication: `@xk. ti ku pf xq tλtt. I pk&xqu ñ ti nilu piter f lq tλtt. I lu Invariant: I k r ãñ k Specialization to the invariant, where f x incr r: `@xk. tr ãñ k u pf xq tλtt. r ãñ k ` 1u ñ tr ãñ 0u piter f lq tλtt. r ãñ l u 35 / 66

36 Sum using iter let sum l = let r = ref 0 in iter ( fun x -> r :=!r + x) l;!r What is the invariant? I k r ãñ Sum k where: Sum k Fold p`q 0 k 36 / 66

37 Verication of iter let rec iter f l = match l with [] -> () x :: t -> f x; iter f t ñ `@xk. ti ku pf xq tλtt. I pk&xqu ti nilu piter f lq tλtt. I lu How to prove that this specication of iter is correct? 37 / 66

38 Verication of iter ti ku pf xq tλtt. I pk&xqu Prove: by generalizing it ti nilu piter f lq tλtt. I ti ku piter f sq tλtt. I pk``squ 38 / 66

39 Verication of iter let rec iter f l = match l with [] -> () x :: t -> f x; iter f t ti ku pf xq tλtt. I pk&xqu ti ku piter f sq tλtt. I pk``squ By induction on l: Case s nil. We have ti ku piter f lq tλtt. I pk``nilqu Case s x :: t. By the rule for sequences: ti ku pf xq tλtt. I pk&xqu ti pk&xqu piter f tq tλtt. I ppk&xq``tqu ti ku pf x; iter f tq ti pk``squ because pk&xq``t k``px :: tq k``s. 39 / 66

40 Constraints over the items Specication of ñ ti ku pf xq tλtt. I pk&xqu ti nilu piter f lq tλtt. I lu What about the following application? iter ( fun x -> r :=!r +. sqrt x) [2.0; 3.0] Generalized `@xk. x P l ñ ti ku pf xq tλtt. I pk&xqu ñ ti nilu piter f lq tλtt. I lu 40 / 66

41 Constraints over the items Given a list x 1 :: x 2 :: x 3 :: nil, compute b a? x1 ` x 2 ` x 3. let r = ref 0. in iter ( fun x -> r := sqrt (! r +. x )) [2.; -1.; 3.] Generalized `@xkk 1. l k``x :: k 1 ñ ti ku pf xq tλtt. I pk&xqu ñ ti nilu piter f lq tλtt. I lu 41 / 66

42 Specication of map let rec map f l = match l with [] -> [] x :: k -> (f x )::( map f k) l. ñ p@x. tr su pf xq tλx 1. rp x x 1 suq tr su pmap f lq tλl 1. rforall2 P l l 1 su Ñ This specication forbids any visible side eect of f. 42 / 66

43 Verication of map l. ñ tr su pf xq tλx 1. rp x x 1 suq tr su pmap f lq tλl 1. rforall2 P l l 1 su Proof by induction on l. Ñ Case l nil. Use the relation: Forall2 P nil nil. Ñ Case l x :: t. Derive the relation: Forall2 P px :: tq px 1 :: t 1 q. tr su pf xq tλx 1. rp x x 1 su tr su pmap f tq tλt 1. rforall2 P t t 1 su tr su pf x :: map f tq tλl 1. rforall2 P l l 1 su 43 / 66

44 Generalized specication of map Specication of l. ñ tr su pf xq tλx 1. rp x x 1 suq tr su pmap f lq tλl 1. rforall2 P l l 1 su Specication of ñ `@xk. ti ku pf xq tλtt. I pk&xqu ti nilu piter f lq tλtt. I lu Combining the Il. ñ `@xk. ti ku pf xq tλx 1. rp x x 1 s I pk&xqu ti nilu pmap f lq tλl 1. rforall2 P l l 1 s I lu 44 / 66

45 Concised specication of map Combined specication, with I renamed into Jl. `@xk. tj ku pf xq tλx 1. rp x x 1 s J pk&xqu ñ tj nilu pmap f lq tλl 1. rforall2 P l l 1 s J lu Dene: I k k 1 J k rforall2 P k k 1 s More concise Il. `@xkk 1. ti k k 1 u pf xq tλx 1. I pk&xq pk 1 &x 1 qu ñ ti nil nilu pmap f lq tλl 1. I l l 1 u 45 / 66

46 Specication of fold-left Description: fold f i r6 :: 4 :: 7s f pf pf i 6q 4q 7 Implementation: let rec fold f i l = match l with [] -> i x :: k -> fold f (f i x) k ñ `@xik. ti i ku pf i xq tλj. I j pk&xqu ti a nilu pfold f a lq tλb. I b lu 46 / 66

47 Application of fold-left let sum l = fold (+) 0 l What is the invariant? I i k ri Sum ks where Sum k Fold p`q 0 k. Proof: `@xik. tri Sum ksu p(+) i xq tλj. rj psum kq ` xsu ñ tr0 Sum nilsu pfold (+) 0 lq tλb. rb Sum lsu Deriving the specication of (+) tr su p(+) u vq tλr. rr u ` vsu 47 / 66

48 Specication of nd let rec find f l = match l with [] -> None x :: k -> if f x then Some x else find f k l. ñ p@x. tr su pf xq tλb. rb istrue pp xqsuq tr su pfind f lq tλo. r match o with None ñ Forall p P q l Some x ñ Dkt. l k``x :: t ^ Forall p P q k ^ P x su 48 / 66

49 Specication of sort List. sort ( fun x y -> x - y) ^ ñ total-order pĺq p@xy. tr su pf x yq tλn. rn ď 0 ô x ĺ ysuq tr su psort f lq tλl 1. rpermut l l 1 ^ sorted pĺq l 1 su 49 / 66

50 Content Reasoning about loops Frame in a while loop Higher-order iterators for pure containers Higher-order iterators for mutable containers Iterating over a mutable list Mapping over a mutable list Iterating over a mutable list of distinct mutable items Find over a mutable list Specication of objects 50 / 66

51 Iterating over a mutable list let rec miter f p = if p == null then () else (f p. hd ; miter f p. tl ) 51 / 66

Iterating over a mutable list How to adapt the specication of iter? @fil. `@xk. ti ku pf xq tλtt.

52 Iterating over a mutable list How to adapt the specication of `@xk. ti ku pf xq tλtt. I pk&xqu ñ ti nilu piter f lq tλtt. I lu Specication of pil. `@xk. ti ku pf xq tλtt. I pk&xqu ñ tp Mlist l I nilu pmiter f pq tλtt. p Mlist l I lu 52 / 66

53 Mapping a function over a mutable list Mapping a function over elements, in place: let rec mmap f p = if p == null then () else (p. hd <- f p. hd ; mmap f p. tl ) 53 / 66

54 Mapping a function over a mutable list Recall the concise specication of Il. `@xkk 1. ti k k 1 u pf xq tλx 1. I pk&xq pk 1 &x 1 qu ñ ti nil nilu pmap f lq tλl 1. I l l 1 u Specication of 1. `@xkk 1. ti k k 1 u pf xq tλx 1. I pk&xq pk 1 &x 1 qu ñ tp Mlist l I nil nilu pmmap f pq tλtt. Dl 1. p Mlist l 1 I l l 1 u 54 / 66

55 Mapping a function over a mutable list: example Mapping a function over elements, in place: mmap ( fun x - > x + 1) p How to instantiate I in the 1. `@xkk 1. ti k k 1 u pf xq tλx 1. I pk&xq pk&x 1 qu ñ tp Mlist l I nil nilu pmmap f pq tλtt. Dl 1. p Mlist l 1 I l l 1 u Take: or, equivalently: I k k 1 rk 1 map p`1q ks I k k 1 rforall2 P k k 1 s with P x x 1 px 1 x ` 1q 55 / 66

56 Representation of a list of references Dp 1 p 2 p 3. p Mlistof Id pp 1 :: p 2 :: p 3 :: nilq p 1 Ref 8 p 2 Ref 5 p 3 Ref 2 Equivalent to: p Mlistof Ref p8 :: 5 :: 2 :: nilq 56 / 66

57 Polymorphic representation predicate for mutable lists p Mlistof Ref p8 :: 5 :: 2 :: nilq p Mlistof R L match L with nil ñ rp nulls X :: L 1 ñ Dxp 1. p ÞÑ t hd=x; tl=p 1 u p 1 Mlistof R L 1 x R X 57 / 66

58 Incrementing a mutable list of distinct references miter ( fun x -> incr x) [ ref 5; ref 3] Take the invariant: Specialized specication for pil. ñ I K K 1 rk 1 map p`1q Ks `@xkk 1 n. ti K K 1 x Ref nu pf xq tλtt. I pk&nq pk 1 &pn ` 1qq x Ref pn ` 1qu tp Mlistof Ref L I nil nilu pmiter f pq tλtt. DL 1. p Mlistof Ref L 1 I L L 1 u 58 / 66

59 Iterating over a mutable list of mutable items Generalization to a list of the form p Mlistof R pirl. ñ `@xkk 1 X. ti K K 1 x R Xu pf xq tλtt. DX 1. I pk&xq pk 1 &X 1 q x R X 1 u tp Mlistof R L I nil nilu pmiter f pq tλtt. DL 1. p Mlistof R L 1 I L L 1 u 59 / 66

60 Function mnd let rec mfind f p = if p == null then None else if f p. hd then Some p else mfind f p. tl Assume a pure function and a list of integers. What is the specication? 60 / 66

61 Function mnd l. ñ tr su pf xq tλb. rb istrue pp xqsuq tp Mlist lu pmfind f pq tλo. match o with None ñ p Mlist l rforall p P q ls Some q ñ Dkt. p MlistSeg q k q Mlist px :: tq rl k``x :: t ^ Forall p P q k ^ P xs u 61 / 66

62 Function mnd on list of mutable items Consider a mutable list of references: p Mlistof Ref p3 :: 6 :: 2 :: nilq. mfind ( fun r ->!r > 5) p Generalized RL. ñ p@xx. tx R Xu pf xq tλb. x R X rb istrue pp Xqsuq tp Mlistof R Lu pmfind f pq tλo. match o with None ñ p Mlistof R L rforall p P q Ls Some q ñ DKT. p Mlistsegof R q K R Mlistof q px :: T q rl K ``X :: T ^ Forall p P q K ^ P Xs u 62 / 66

63 Content Reasoning about loops Frame in a while loop Higher-order iterators for pure containers Higher-order iterators for mutable containers Specication of objects The counter object Internal specication External specication 63 / 66

64 The counter object Creation of a counter: let new_counter () = object val mutable cur = 0 method step () = cur <- cur + 1 method read () = cur end Using a counter: let c = new_counter () in c# step (); c# step (); let x = c# read () in assert ( x = 2) 64 / 66

65 The counter object: internal specication Shorthand: p Obj pn, f, gq p ÞÑ t cur=n; read=f; step=g u Specication of a counter object: p Counter n Dfg. p Obj pn, f, gq r@i. tp Obj pi, f, gqu pg ()q tλtt. p Obj pi ` 1, f, gqus r@i. tp Obj pi, f, gqu pf ()q tλx. rx is p Obj pi, f, gqus 65 / 66

66 The counter object: external specication let c = new_counter () in c# step (); c# step (); let x = c# read () in assert ( x = 2) Specication exposed to the end-user: tr su pnew_counter()q tλp. p tp Counter iu pp #step()q tλtt. p Counter pi ` 1qu tp Counter iu pp #read()q tλx. rx is p Counter iu 66 / 66

Example of a for-loop. Separation Logic. The repeat construct. Reasoning rule for for-loops. Before the loop:

Example of a for-loop. Separation Logic. The repeat construct. Reasoning rule for for-loops. Before the loop: Example of a for-loop Separation Logic Part 3 Arthur Charguéraud February 2015 let facto n = let r = ref 1 in for i = 2 to n do let v =!r in r := v * i; done;!r Before the loop: r ãñ 1 At each iteration: